Google Glass – Yup it’s Hackable!

As the way cool Google Glasses roll out to customers, it makes one wonder, what if it could be hacked?

Well, it can!

Early adopters have begun to receive their Google Glasses, the Android-based wearable computer, and some couldn’t help but try to hack it. And hack it they did.

Android and iOS developer Jay Freeman hacked his in just a couple hours, while he ate dinner…

“It took me two hours while I was having dinner with friends at the time,” Freeman told Forbes. “The implementation from B1nary is for normal Android tablets and phones, I learned how it worked and then did the same thing on Glass…which was quite simple.”

Being an Android based system, it is susceptible to the same attacks that affect smart phones and tablets.

“Sadly, due to the way Glass is currently designed, it is particularly susceptible to the kinds of security issues that tend to plague Android devices,” Freeman wrote on his blog.

“The one saving grace of Android’s track record on security is that most of the bugs people find in it cannot be exploited while the device is PIN-code locked. Google’s Glass, however, does not have any kind of PIN mechanism: when you turn it on, it is immediately usable.”

But apparently that was the point: according to a Google developer, the units are shipped so they can be hacked!

“Not to bring anybody down… but seriously… we intentionally left the device unlocked so you guys could hack it and do crazy fun shit with it. I mean, FFS, you paid $1500 for it… go to town on it. Show me something cool.”

That’s cool that they want people to go nuts on these things to find out what really can be done with them. I just have one question. What would a Denial of Service look like on Google Glass?

I mean will people be walking around bumping into things?

Or will the Google Glass user just stand there in a zombie like state with drool dripping down their chin?

Inquiring minds want to know!  🙂

620,000 Android Phones in China hit by Most Costly Malware in History

China may be the source of a lot of international cyber attacks and malware, but it gets hit by them too. 620,000 Android phones in China were infected with a nasty virus that takes over the phone, collects personal information from it and begins to send costly text messages to benefit the malware maker.

Yesterday, security research company NQ Mobile issued a press release about the discovery of the Android malware they dubbed “Bill Shocker”. Based on their findings they claim, “Bill Shocker is an SDK designed by malware developers that infects several of the most popular apps in China, including Tencent QQ Messenger and Sohu News.”

Bill Shocker then downloads itself in the background and takes control of the phone, including its dialing and texting features. According to the report, “Once the malware has turned the phone into a ‘zombie,’ the infection uses the device to send text message to the profit of advertisers. In many cases, the threat will overrun the user’s bundling quota, which subjects the user to additional charges.”

The malware could affect phones outside China and has the potential to be the most costly malware in history, according to NQ.

So what can you do to keep your phone safe? NQ offers several tips to avoid infection including:

  • Only download apps from trusted sources
  • Never accept application requests from unknown sources
  • Closely monitor permissions requested by any application
  • And be alert for abnormal behavior from your smart device
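
One way to act on the "closely monitor permissions" tip, as an added example (not code from NQ Mobile or from the original post): a small Python audit that reads permission listings in the style printed by `aapt dump permissions` and flags apps holding the texting or dialing permissions that correspond to what the report says Bill Shocker takes over. The sample listing, the package names and the choice of which permissions to flag are constructed assumptions.

```python
import re

# Permissions matching the behaviour described for Bill Shocker: control of
# texting and dialing, collection of personal data, and network access.
BILLING = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
PERSONAL = {"android.permission.READ_CONTACTS", "android.permission.READ_SMS"}
INTERNET = "android.permission.INTERNET"

# Accept "name='X'", "'X'" and bare "X" after the colon.
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)")

# Constructed sample input; these are not real apps.
SAMPLE = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
package: com.example.newsreader
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
package: com.example.dialer
uses-permission: android.permission.CALL_PHONE
"""

def parse_dump(text):
    """Map each package name to the set of permissions listed under it."""
    apps, perms = {}, None
    for line in (l.strip() for l in text.splitlines()):
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            perms = apps.setdefault(pkg.group(1), set())
        elif perm and perms is not None:  # ignore permissions with no owner
            perms.add(perm.group(1))
    return apps

def audit(apps):
    """Return {package: [reasons]} for apps that deserve a closer look."""
    findings = {}
    for pkg, perms in apps.items():
        reasons = []
        if perms & BILLING:
            reasons.append("can run up charges: " + ", ".join(sorted(perms & BILLING)))
        if perms & PERSONAL and INTERNET in perms:
            reasons.append("can read and upload: " + ", ".join(sorted(perms & PERSONAL)))
        if reasons:
            findings[pkg] = reasons
    return findings

if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE)))
```

A flagged app is not necessarily malicious; the output is a shortlist of apps whose requested permissions go beyond what their stated purpose needs.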

NQ Mobile also offers a mobile device security solution that already protects against threats like Bill Shocker.

With mobile malware becoming more prevalent, Bring Your Own Device (BYOD) is really starting to increase the attack surface of corporate networks. Companies really need to take a good look at their Mobile user security policy if they haven’t done so already.

Android 4.0.4 Zero-Day Found, Galaxy S3 Pwned at Pwn2Own

Today at the EUSecWest conference “PWN2OWN” contest in Amsterdam, MWR Labs used a zero-day exploit to pwn an Android-based Galaxy S3. MWR Labs used Mercury (their custom-made framework for finding vulnerabilities) to grab text messages, contacts, pictures and more from the phone:

“MWR showed an exploit against a previously undiscovered vulnerability on a Samsung Galaxy S3 phone running Android 4.0.4. Through NFC it was possible to upload a malicious file to the device, which allowed us to gain code execution on the device and subsequently get full control over the device using a second vulnerability for privilege escalation.

The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.”

Check out their website for more information.

Security and Privacy Concerns for Mobile Devices

BYOD (Bring your own Device) is one of the latest tech fads. Bring in that tablet or smart phone from home and we will hook it right up to our corporate network for you! What a great thing, and the IT staff just loves it too!  🙂

But there are some serious concerns about mobile devices. For example in March of this year, Sen. Charles Schumer talked with both Apple and Google over privacy concerns. It seems that some mobile apps were grabbing private photos and contact information and downloading them to servers or other sites – without the user’s permission…

“It sends shivers up the spine to think that one’s personal photos, address book, and who knows what else can be obtained and even posted online without consent,” Senator Schumer wrote in a letter to the FTC.

Listing the permissions that an App wants during install is helpful. For example, on an Android device you are shown what the app wants access to – network access, phone access – but does everyone take the time to read them before they install the latest “gotta have” app? And even though apps are checked before being placed on Apple’s Marketplace, one common tactic that malicious programmers have used is to download malware with app updates.

And it is not just private data concerns that have been raising alarms. What about the video and recording features of smart devices or even the upcoming “Google Glasses”? Sure these are great in emergency situations, but what about at private meetings, secured facilities or around classified information?

An article in June from the NY Times mentions some of the techniques that could be used to block smart phone recording features. SpyFinder camera detectors, Google algorithms for un-tagging people in photos, personal infrared and white noise generators are all mentioned.

Smart devices are excellent to use and a great convenience. But do you want them sharing your private contact information or personal photos? Do you really want recording devices and a possible additional malware platform inside your facility?

These are some of the security and privacy concerns that must be considered for both the individual user and the corporate environment.